PGP Information


Overview

What is PGP/GPG?

PGP (Pretty Good Privacy) is an encryption program that works on most computing platforms. It is fairly easy to use, and there are viable free versions available in addition to the commercial version. The open-source version of PGP, known as the GPG (GNU Privacy Guard) program, adheres to the OpenPGP standard, is interoperable with all versions of PGP, and is not restricted to non-commercial use. There are numerous front-end applications available for GPG to facilitate encryption of email and other files, and it can also be executed completely on the command line. Unless otherwise specified, the term "PGP" on this page refers to both freeware and commercial PGP, as well as GNU Privacy Guard.

US law formerly regarded encryption as a type of weapon and restricted its export from the US to other countries. The US relaxed this law in the year 2000 and more information is available from the GnuPG site here.

What is it good for?

PGP can be used to protect a text (including documents or email messages) from prying eyes via encryption. It can also be used to verify the authenticity of the contents of a text. With PGP, the author of a text can "sign" it with an encrypted signature that incorporates elements of the text itself. When the recipient verifies the signature, not only will they be able to verify the identity of the signer, but they will be able to tell if the text was altered in any way after it was signed. A document with an invalid signature is still readable, but PGP will notify you that the signature did not validate, either because a change has been made to some portion of the text after it was signed, or because the signing party's key is unknown. Signatures can be used whether or not the text of the document or message itself is encrypted. PGP can also be used to encrypt files with a password rather than a public key; this can be particularly useful when you are not yet sure who the recipient will be and therefore can't encrypt to a specific person's public key.
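The three verification outcomes described above (valid, altered after signing, unknown signer key) can be told apart in a script. This is an added example, not part of the original page; it assumes GnuPG 2.x on the command line and uses a constructed identity, a constructed message and throwaway keyrings.

```shell
#!/bin/sh
# Added example: constructed identity and message, throwaway keyrings only.

# Classify a detached-signature check from GnuPG's machine-readable status
# lines (--status-fd) rather than from its human-readable messages.
sig_status() {  # usage: sig_status <homedir> <sigfile> <datafile>
    out=$(gpg --homedir "$1" --batch --status-fd 1 \
              --verify "$2" "$3" 2>/dev/null) || true
    case "$out" in
        *"[GNUPG:] GOODSIG "*)   echo good ;;         # signer known, text intact
        *"[GNUPG:] BADSIG "*)    echo altered ;;      # text changed after signing
        *"[GNUPG:] NO_PUBKEY "*) echo unknown-key ;;  # signer's key not on keyring
        *)                       echo error ;;
    esac
}

demo_signature_outcomes() {
    work=$(mktemp -d) || return 1
    mkdir -m 700 "$work/signer" "$work/stranger" || return 1
    # Unprotected demo key; a real key would carry a passphrase.
    gpg --homedir "$work/signer" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Demo Signer <signer@example.invalid>' 2>/dev/null || return 1
    printf 'Pay invoice 1001\n' > "$work/msg.txt"
    gpg --homedir "$work/signer" --batch --quiet \
        --detach-sign -o "$work/msg.sig" "$work/msg.txt" || return 1

    intact=$(sig_status "$work/signer" "$work/msg.sig" "$work/msg.txt")
    # A verifier whose keyring lacks the signer's public key.
    nokey=$(sig_status "$work/stranger" "$work/msg.sig" "$work/msg.txt")
    # Change one digit after signing; the file itself stays readable.
    printf 'Pay invoice 9001\n' > "$work/msg.txt"
    changed=$(sig_status "$work/signer" "$work/msg.sig" "$work/msg.txt")

    gpgconf --homedir "$work/signer" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$intact $changed $nokey"
}
# Call demo_signature_outcomes to run the three checks.
```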

How does it work?

PGP uses a modified form of public key encryption, in which a mathematical algorithm generates two mathematically related keys. A message encrypted with one key can be decrypted only by using the other key in the pair. The two keys are referred to as the public key and the private key. The public key can be given out freely to other users of PGP, or listed on a key server for public access. Others can then encrypt messages using this public key, knowing that the messages can only be decrypted when the public key's owner uses his or her corresponding private key. A single file can be encrypted to more than one recipient at a time using multiple public keys. Once a file is encrypted using a public key, not even the person who encrypted it can read that file without using a matching private key. The private key, as its name suggests, is kept by its owner and not given out to anyone.
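The following added example (not part of the original page) encrypts one file to two recipients and shows that each recipient can decrypt it while the sender, who holds only their public keys, cannot. It assumes GnuPG 2.x; the identities, plaintext and keyrings are constructed and temporary.

```shell
#!/bin/sh
# Added example: constructed identities and plaintext, throwaway keyrings only.

new_user() {  # usage: new_user <homedir> <email>  (unprotected demo key pair)
    mkdir -m 700 "$1" &&
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$2" 2>/dev/null
}

can_read() {  # usage: can_read <homedir> <ciphertext>  -> prints yes or no
    if gpg --homedir "$1" --batch --quiet --decrypt "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

demo_multi_recipient() {
    w=$(mktemp -d) || return 1
    new_user "$w/alice" alice@example.invalid || return 1
    new_user "$w/bob"   bob@example.invalid   || return 1
    mkdir -m 700 "$w/sender" || return 1
    # The sender's keyring receives the two PUBLIC keys and nothing else.
    for u in alice bob; do
        gpg --homedir "$w/$u" --batch --export |
            gpg --homedir "$w/sender" --batch --quiet --import 2>/dev/null ||
            return 1
    done
    printf 'quarterly figures\n' > "$w/plain.txt"
    # --trust-model always: skip the key-ownership prompt for these demo keys.
    gpg --homedir "$w/sender" --batch --quiet --trust-model always \
        -r alice@example.invalid -r bob@example.invalid \
        -o "$w/msg.gpg" --encrypt "$w/plain.txt" 2>/dev/null || return 1

    result="$(can_read "$w/alice" "$w/msg.gpg")"
    result="$result $(can_read "$w/bob" "$w/msg.gpg")"
    result="$result $(can_read "$w/sender" "$w/msg.gpg")"  # the encryptor itself

    for u in alice bob sender; do
        gpgconf --homedir "$w/$u" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$w"
    echo "$result"
}
# Call demo_multi_recipient to run it; output order is alice, bob, sender.
```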

PGP creates a public key/private key pair using a random number generator and a special encryption key generation algorithm, and uses a second form of encryption to protect the private key with a passphrase that the user supplies. This phrase (longer than just a word) must be supplied each time the user wants to decrypt a file using the private key. The passphrase that protects the private key is used for two important purposes: to decrypt messages that were encrypted to the public key, and to digitally sign a message using the private key. The key pair must be kept secure, with backup copies protected from theft or loss. It is best to choose a passphrase that won't need to be written down, and above all to avoid storing the passphrase on the same computer where the keypair resides.

Obtaining PGP

Gpg4win is a free GnuPG application created by the German Federal Office for Information Security. It is currently available for Windows 2000, XP 32/64, Vista 32/64, Windows 7 32/64, and Windows 8 32/64, and includes all necessary components that make it a viable and easy-to-use alternative to commercial PGP. Download it here. Be sure to verify the sha1sum of the downloaded app; contact Caltech Information Security if you need some help.
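One way to script the checksum comparison, as an added example that is not part of the original page. It assumes the GNU coreutils sha1sum command; the file path and the published value are parameters, since the page does not list a hash.

```shell
#!/bin/sh
# Added example. The published value must come from the download site over a
# channel you trust; it is passed in as an argument, never hard-coded here.
verify_sha1() {  # usage: verify_sha1 <file> <published-sha1>
    file=$1
    # Normalise the published value: drop whitespace, lower-case the hex.
    want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case "$want" in
        ''|*[!0-9a-f]*) echo "malformed checksum" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || { echo "SHA-1 needs 40 hex digits" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # Read via stdin so the file name cannot affect sha1sum's output format.
    have=$(sha1sum < "$file" | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then
        echo "OK $file"
        return 0
    fi
    # Fail closed: show both values and do not run the installer.
    echo "MISMATCH $file: computed $have, published $want" >&2
    return 1
}
```

Exit status 0 means the file matches, 1 means it does not, and 2 means the check could not be performed.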

GPG is a cross-platform application and GUI front ends are available for MacOS, MacOS 10.x, Windows, and Unix platforms. Current versions of the commercial PGP are available from PGP Corporation and include convenient email client plugins as well as PGPDisk for bulk encryption of groups of files and folders.

A Note About PGPNet

By default, some versions of commercial PGP try to install a driver for something called PGPNet. This is a proprietary VPN (virtual private networking) solution. Users of the Caltech VPN system, please note that PGPNet will prevent our own VPN client from working correctly. You will not be able to use our VPN system if you have PGPNet installed on your computer, even if you never use it. In addition, we have had reports that for WinXP users, installation of PGPNet can cause serious system problems, possibly necessitating an operating system rebuild. We strongly recommend doing a custom install of PGP and de-selecting PGPNet, so you can avoid this problem. If you already have installed PGPNet, go into your network control panel and remove it by hand.

PGP at Caltech

Additional decryption key
The commercial version of PGP allows keypairs to be generated with an automatic "additional decryption key" (ADK) set so that all messages encrypted to the public key, or signed using the private key, are also automatically encrypted to the pre-set ADK. This is critical when PGP is used for administrative purposes rather than for personal privacy. In a workplace environment, an individual might encrypt important files and then leave the organization or otherwise become unavailable. An ADK is also helpful in the event that a user forgets a passphrase or suffers a hard drive failure without good backups. The ADKs used by Caltech are kept in a secure location for use by IMSS Security or other authorized personnel in the event that a file encrypted with a Caltech key cannot be decrypted any other way. IMSS strongly recommends using public keys with ADKs whenever PGP is being used to encrypt official communications. Without use of an additional decryption key, loss of access to the keypair used to encrypt a file means total loss of the data contained in the file. This is sometimes an acceptable risk when PGP is used for personal files, but it is generally not acceptable for data related to institute business.

PGP keys with an ADK can be used with any OpenPGP-compliant version of PGP, but they must be generated using a special build of PGP. If you would like a PGP keypair with an ADK, please email security@caltech.edu.

Caltech's PGP Key Server

Caltech's PGP key server is ldap://pgp-server.caltech.edu. It is solely for Caltech PGP keys. To have your key placed on the Caltech key server, email security@caltech.edu. You'll also need to come by in person with your Caltech ID and verify your public key's "fingerprint". Under some circumstances this can also be done via your listed campus telephone extension. All PGP keypairs that are generated for official Caltech use are signed by the Caltech Security Master Key. If you'd like your key to be signed with the Caltech key, contact us at security@caltech.edu.

Usage Instructions and Command Summary Sheets

PGP Commercial

PGP and OpenPGP-Compatible Freeware

More detailed guides (these are now outdated but still somewhat useful)

 

Requesting assistance with PGP

Need more help? Contact security@caltech.edu. Please let us know what operating system you are using PGP from, and what email program you use, to better allow us to assist you. Note that we only have the resources to provide assistance to Caltech personnel. If you are not affiliated with Caltech, please look elsewhere for assistance.